@fedify/fedify 1.6.0-dev.778 → 1.6.0-dev.790

package/CHANGES.md

@@ -22,6 +22,23 @@ To be released.
 
  -  Added `Router.trailingSlashInsensitive` property.
 
+ -  Implemented HTTP Message Signatures ([RFC 9421]) with double-knocking.
+    Currently, it only works with RSA-PKCS#1-v1.5.  [[#208]]
+
+     -  Added `HttpMessageSignaturesSpec` type.
+     -  Added `SignRequestOptions.spec` option.
+     -  Added `SignRequestOptions.currentTime` option.
+     -  Added `VerifyRequestOptions.spec` option.
+     -  Added `GetAuthenticatedDocumentLoaderOptions.specDeterminer` option.
+     -  Added `GetAuthenticatedDocumentLoaderOptions.traceProvider` option.
+     -  Added `HttpMessageSignaturesSpecDeterminer` interface.
+     -  Added `--first-knock` option to `fedify lookup` command.
+
+ -  The `exportJwk()` function now populates the `alg` property of a returned
+    `JsonWebKey` object with `"Ed25519"` if the input key is an Ed25519 key.
+
+[RFC 9421]: https://www.rfc-editor.org/rfc/rfc9421
+[#208]: https://github.com/fedify-dev/fedify/issues/208
 [#227]: https://github.com/fedify-dev/fedify/issues/227
 
 

package/CONTRIBUTING.md

@@ -232,6 +232,13 @@ the following command:
 deno task -f @fedify/fedify test
 ~~~~
 
+Or you can use `--filter` option to run a specific test.  For example, if you
+want to run the `verifyRequest` test:
+
+~~~~ bash
+deno task -f @fedify/fedify test --filter verifyRequest
+~~~~
+
 If the tests pass, you should run `deno task test-all` command to test
 the library with Deno, Node.js, and [Bun]:
 

package/README.md

@@ -105,7 +105,7 @@ financial contributors:[^2]
 
 ### Backers
 
-Robin Riley, yamanoku, Encyclia, taye, okin, Andy Piper, box464, Evan Prodromou, Rafael Goulart, malte
+Robin Riley, yamanoku, taye, Encyclia, okin, Andy Piper, box464, Evan Prodromou, Rafael Goulart, malte
 
 ### One-time donations
 

package/SPONSORS.md

@@ -26,7 +26,7 @@ Supporters
 Backers
 -------
 
-Robin Riley, yamanoku, Encyclia, taye, okin, Andy Piper, box464, Evan Prodromou, Rafael Goulart, malte
+Robin Riley, yamanoku, taye, Encyclia, okin, Andy Piper, box464, Evan Prodromou, Rafael Goulart, malte
 
 One-time donations
 ------------------

package/esm/deno.js

@@ -1,6 +1,6 @@
 export default {
     "name": "@fedify/fedify",
-    "version": "1.6.0-dev.778+c3a73aa9",
+    "version": "1.6.0-dev.790+3f8325df",
     "license": "MIT",
     "exports": {
         ".": "./mod.ts",
@@ -29,6 +29,7 @@ export default {
         "@std/async": "jsr:@std/async@^1.0.5",
         "@std/bytes": "jsr:@std/bytes@^1.0.2",
         "@std/collections": "jsr:@std/collections@^1.0.6",
+        "@std/crypto": "jsr:@std/crypto@^1.0.4",
         "@std/encoding": "jsr:@std/encoding@1.0.7",
         "@std/http": "jsr:@std/http@^1.0.6",
         "@std/testing": "jsr:@std/testing@^0.224.0",
@@ -42,6 +43,7 @@ export default {
         "mock_fetch": "jsr:@hongminhee/deno-mock-fetch@^0.3.2",
         "multicodec": "npm:multicodec@^3.2.1",
         "pkijs": "npm:pkijs@^3.2.4",
+        "structured-field-values": "npm:structured-field-values@^2.0.4",
         "uri-template-router": "npm:uri-template-router@^0.0.17",
         "url-template": "npm:url-template@^3.1.1"
     },

package/esm/deps/jsr.io/@std/crypto/1.0.4/timing_safe_equal.js

@@ -0,0 +1,55 @@
+// Copyright 2018-2025 the Deno authors. MIT license.
+// This module is browser compatible.
+function toDataView(value) {
+    if (value instanceof DataView) {
+        return value;
+    }
+    return ArrayBuffer.isView(value)
+        ? new DataView(value.buffer, value.byteOffset, value.byteLength)
+        : new DataView(value);
+}
+/**
+ * When checking the values of cryptographic hashes are equal, default
+ * comparisons can be susceptible to timing based attacks, where attacker is
+ * able to find out information about the host system by repeatedly checking
+ * response times to equality comparisons of values.
+ *
+ * It is likely some form of timing safe equality will make its way to the
+ * WebCrypto standard (see:
+ * {@link https://github.com/w3c/webcrypto/issues/270 | w3c/webcrypto#270}), but until
+ * that time, `timingSafeEqual()` is provided:
+ *
+ * @example Usage
+ * ```ts
+ * import { timingSafeEqual } from "@std/crypto/timing-safe-equal";
+ * import { assert } from "@std/assert";
+ *
+ * const a = await crypto.subtle.digest(
+ *   "SHA-384",
+ *   new TextEncoder().encode("hello world"),
+ * );
+ * const b = await crypto.subtle.digest(
+ *   "SHA-384",
+ *   new TextEncoder().encode("hello world"),
+ * );
+ *
+ * assert(timingSafeEqual(a, b));
+ * ```
+ *
+ * @param a The first value to compare.
+ * @param b The second value to compare.
+ * @returns `true` if the values are equal, otherwise `false`.
+ */
+export function timingSafeEqual(a, b) {
+    if (a.byteLength !== b.byteLength)
+        return false;
+    const dataViewA = toDataView(a);
+    const dataViewB = toDataView(b);
+    const length = a.byteLength;
+    let out = 0;
+    let i = -1;
+    while (++i < length) {
+        out |= dataViewA.getUint8(i) ^ dataViewB.getUint8(i);
+    }
+    return out === 0;
+}

package/esm/federation/middleware.js

@@ -7,7 +7,7 @@ import metadata from "../deno.js";
 import { getNodeInfo } from "../nodeinfo/client.js";
 import { handleNodeInfo, handleNodeInfoJrd } from "../nodeinfo/handler.js";
 import { getAuthenticatedDocumentLoader, getDocumentLoader, kvCache, } from "../runtime/docloader.js";
-import { verifyRequest } from "../sig/http.js";
+import { verifyRequest, } from "../sig/http.js";
 import { exportJwk, importJwk, validateCryptoKey } from "../sig/key.js";
 import { hasSignature, signJsonLd } from "../sig/ld.js";
 import { getKeyOwner } from "../sig/owner.js";
@@ -66,6 +66,7 @@ export class FederationImpl extends FederationBuilderImpl {
                 activityIdempotence: ["_fedify", "activityIdempotence"],
                 remoteDocument: ["_fedify", "remoteDocument"],
                 publicKey: ["_fedify", "publicKey"],
+                httpMessageSignaturesSpec: ["_fedify", "httpMessageSignaturesSpec"],
             },
             ...(options.kvPrefixes ?? {}),
         };
@@ -179,6 +180,8 @@ export class FederationImpl extends FederationBuilderImpl {
                 ((identity) => getAuthenticatedDocumentLoader(identity, {
                     allowPrivateAddress,
                     userAgent,
+                    specDeterminer: new KvSpecDeterminer(this.kv, this.kvPrefixes.httpMessageSignaturesSpec),
+                    tracerProvider: this.tracerProvider,
                 }));
         this.userAgent = userAgent;
         this.onOutboxError = options.onOutboxError;
@@ -372,6 +375,7 @@ export class FederationImpl extends FederationBuilderImpl {
                 inbox: new URL(message.inbox),
                 sharedInbox: message.sharedInbox,
                 headers: new Headers(message.headers),
+                specDeterminer: new KvSpecDeterminer(this.kv, this.kvPrefixes.httpMessageSignaturesSpec),
                 tracerProvider: this.tracerProvider,
             });
         }
@@ -674,6 +678,7 @@ export class FederationImpl extends FederationBuilderImpl {
                     headers: collectionSync == null ? undefined : new Headers({
                         "Collection-Synchronization": await buildCollectionSynchronizationHeader(collectionSync, inboxes[inbox].actorIds),
                     }),
+                    specDeterminer: new KvSpecDeterminer(this.kv, this.kvPrefixes.httpMessageSignaturesSpec),
                     tracerProvider: this.tracerProvider,
                 }));
             }
@@ -1939,6 +1944,7 @@ export class InboxContextImpl extends ContextImpl {
                     inbox: new URL(inbox),
                     sharedInbox: inboxes[inbox].sharedInbox,
                     tracerProvider: this.tracerProvider,
+                    specDeterminer: new KvSpecDeterminer(this.federation.kv, this.federation.kvPrefixes.httpMessageSignaturesSpec),
                 }));
             }
             await Promise.all(promises);
@@ -1997,6 +2003,25 @@ export class InboxContextImpl extends ContextImpl {
         }
     }
 }
+export class KvSpecDeterminer {
+    kv;
+    prefix;
+    defaultSpec;
+    constructor(kv, prefix, defaultSpec = "rfc9421") {
+        this.kv = kv;
+        this.prefix = prefix;
+        this.defaultSpec = defaultSpec;
+    }
+    async determineSpec(origin) {
+        return await this.kv.get([
+            ...this.prefix,
+            origin,
+        ]) ?? this.defaultSpec;
+    }
+    async rememberSpec(origin, spec) {
+        await this.kv.set([...this.prefix, origin], spec);
+    }
+}
 function notFound(_request) {
     return new Response("Not Found", { status: 404 });
 }

package/esm/federation/send.js

@@ -1,7 +1,7 @@
 import { getLogger } from "@logtape/logtape";
 import { SpanKind, SpanStatusCode, trace, } from "@opentelemetry/api";
 import metadata from "../deno.js";
-import { signRequest } from "../sig/http.js";
+import { doubleKnock, } from "../sig/http.js";
 /**
  * Extracts the inbox URLs from recipients.
  * @param parameters The parameters to extract the inboxes.
@@ -65,11 +65,11 @@ export function sendActivity(options) {
         }
     });
 }
-async function sendActivityInternal({ activity, activityId, keys, inbox, headers, tracerProvider, }) {
+async function sendActivityInternal({ activity, activityId, keys, inbox, headers, specDeterminer, tracerProvider, }) {
     const logger = getLogger(["fedify", "federation", "outbox"]);
     headers = new Headers(headers);
     headers.set("Content-Type", "application/activity+json");
-    let request = new Request(inbox, {
+    const request = new Request(inbox, {
         method: "POST",
         headers,
         body: JSON.stringify(activity),
@@ -93,12 +93,11 @@ async function sendActivityInternal({ activity, activityId, keys, inbox, headers
             })),
         });
     }
-    else {
-        request = await signRequest(request, rsaKey.privateKey, rsaKey.keyId, { tracerProvider });
-    }
     let response;
     try {
-        response = await fetch(request);
+        response = rsaKey == null
+            ? await fetch(request)
+            : await doubleKnock(request, rsaKey, { tracerProvider, specDeterminer });
     }
     catch (error) {
         logger.error("Failed to send activity {activityId} to {inbox}:\n{error}", {

package/esm/runtime/docloader.js

@@ -4,7 +4,7 @@ import { HTTPHeaderLink } from "@hugoalh/http-header-link";
 import { getLogger } from "@logtape/logtape";
 import process from "node:process";
 import metadata from "../deno.js";
-import { signRequest } from "../sig/http.js";
+import { doubleKnock, } from "../sig/http.js";
 import { validateCryptoKey } from "../sig/key.js";
 import preloadedContexts from "./contexts.js";
 import { UrlError, validatePublicUrl } from "./url.js";
@@ -238,7 +238,7 @@ export function fetchDocumentLoader(url, allowPrivateAddress = false) {
  * @throws {TypeError} If the key is invalid or unsupported.
  * @since 0.4.0
  */
-export function getAuthenticatedDocumentLoader(identity, { allowPrivateAddress, userAgent } = {}) {
+export function getAuthenticatedDocumentLoader(identity, { allowPrivateAddress, userAgent, specDeterminer, tracerProvider } = {}) {
     validateCryptoKey(identity.privateKey);
     async function load(url) {
         if (!allowPrivateAddress) {
@@ -252,20 +252,8 @@ export function getAuthenticatedDocumentLoader(identity, { allowPrivateAddress,
                 throw error;
             }
         }
-        let request = createRequest(url, { userAgent });
-        request = await signRequest(request, identity.privateKey, identity.keyId);
-        logRequest(request);
-        const response = await fetch(request, {
-            // Since Bun has a bug that ignores the `Request.redirect` option,
-            // to work around it we specify `redirect: "manual"` here too:
-            // https://github.com/oven-sh/bun/issues/10754
-            redirect: "manual",
-        });
-        // Follow redirects manually to get the final URL:
-        if (response.status >= 300 && response.status < 400 &&
-            response.headers.has("Location")) {
-            return load(response.headers.get("Location"));
-        }
+        const originalRequest = createRequest(url, { userAgent });
+        const response = await doubleKnock(originalRequest, identity, { specDeterminer, log: logRequest, tracerProvider });
         return getRemoteDocument(url, response, load);
     }
     return load;